Former White House CIO Theresa Payton: 'There Are Grave Concerns About Election Interference'

By Mick Brady
Oct 26, 2018 5:00 AM PT

Theresa Payton, CEO of Fortalice Solutions, is one of the most influential experts on cybersecurity and IT strategy in the United States. She is an authority on Internet security, data breaches and fraud mitigation.

She served as the first female chief information officer at the White House, overseeing IT operations for President George W. Bush and his staff.

With the U.S. midterm elections fast approaching, both Payton's observations about the current cybersecurity threat level and her advice about shoring up the nation's defenses carry special weight.

In this exclusive interview, she also shares her views on social networking, privacy, and the changing playing field for women who aspire to leadership roles in technology.

TechNewsWorld: What is the chief cyberthreat to the upcoming midterm elections?

Theresa Payton: My biggest worry and concern is that citizens will not trust election results and that the election process will lose legitimacy. We know that the Department of Homeland Security, working with state election officials, has raced against the clock to secure voting systems. Our U.S. intelligence agencies have repeatedly been on the record stating there is no evidence that cybercriminals modified or deleted any votes in 2016.

The next area of concern is for the communications, contacts, and digital campaigns of candidates being broken into and doxed. While the news focuses on securing the votes and the voter databases of the midterm elections, there is not a lot of attention on whether or not campaigns take threats targeting their campaigns seriously. Nothing would hit closer to home for a candidate than if their election was hacked and they lost -- or won.

"Cyber" is certainly a buzzword, but it's not a word without meaning. With the onslaught of breaches, candidates should be laser-focused on cybersecurity.

TNW: What should federal officials do to shore up election security? What should state and local governments do? Where does the buck stop?

Payton: It's crucial that elected officials on the left and right not politicize an issue in the short term that will have grave long-term consequences for national security.

Defensively, we need to harden our election infrastructure at the local level. This is the responsibility of the Department of Homeland Security.

DHS needs to continue to work at the local level with state election officials, but also to provide much more robust cybersecurity capabilities for protection and detection at the campaign level.

We also need to be sure that the intelligence and homeland security community is effectively sharing information and tools, techniques and tactics.

TNW: How serious are concerns that election interference might be caused by tampering with back-end election systems? What can federal agencies do to address the problems of outdated voting equipment, inadequate election-verification procedures, and other potential vulnerabilities? Is there an argument to be made for some level of mandatory federal oversight of state and local voter systems?

Payton: There are grave concerns about election interference and the race to secure them, globally, is under way. The idea that voter databases could be seeded with falsified data or modified has been around for decades, but the technical know-how and motive have caught up with that idea. Election officials in a race towards automation and efficiency may have helped criminals along, but it's not too late if we act now.

Today, there are entire countries totally relying on electronic voting: Brazil, since 2000, has employed electronic voting machines, and in 2010 had 135 million electronic voters. India had 380 million electronic voters for its Parliament election in 2004.

It is easy to see why electronic voting is the wave of the future and how the United States could model its own voting system after these countries. It's faster, cheaper and more accessible for those with disabilities. Also, would you miss the experience of, or the reporting of, the every-election-day headline of "Long Lines at the Polls Today"? Probably not. That is certainly less painful than a recount though.

We are headed towards electronic voting as the sole system we use despite these facts:

"The U.S. intelligence community developed substantial evidence that state websites or voter registration systems in seven states were compromised by Russian-backed covert operatives prior to the 2016 election -- but never told the states involved, according to multiple U.S. officials," NBC News reported earlier this year.

Russia hacked the Democratic National Committee's emails with the intention to "interfere with the U.S. election process," according to the director of national intelligence, James R. Clapper Jr., and the Department of Homeland Security.

As far as we know, despite the scans and alarm bells, no outside entity has changed any records in the registration database.

Scams such as "text your vote" were more prevalent than ever, and will increase as electronic voting becomes more widespread.

The good news is our government took this very seriously. Prior to the midterm elections, the Department of Homeland Security offered state election officials "cyber hygiene scans" to remotely search for vulnerabilities in election systems. They also conducted threat briefings and onsite reviews, as well as released a memo of "best practices" -- guidance on how best to secure their voter databases.

Some have called for more federal oversight and moving towards a more restrictive security model, but the states own the voting process. Providing year-round briefings from DHS, FBI, CIA, and NSA would prove to be very helpful over time.

Also, we have to remember elections are decentralized. Sometimes there is security in obscurity. Each state in our country, plus the District of Columbia, runs its own election operations, including voter databases. A hostile nation state could not feasibly wipe out each system with one wave of their magic wand.

How we vote, though, is just one way our elections could be compromised. Another concern going forward must be disruption of Internet traffic, as we saw occurred just days before the last presidential election cycle on Oct. 21st, 2016, when the Mirai botnet crippled part of the Internet for hours.

A massive Distributed Denial of Service (DDoS) attacked a host server causing major disruptions to some of the most highly visited websites in the United States. The attack was in two waves, first on the East Coast and then on the West Coast.

As our country votes on Election Day in different time zones, and polling stations close at different times, the similarity is chilling.

However, we need everyone to turn out to vote. The focus on bolstering our election security defenses is reassuring. What we know is the warning signs are there. As we move towards the future, and focus on creating and protecting a new system to collect our votes, we need to protect the one we already have.

Two things you can be sure of after this year's election: Eventually, every vote you cast in a United States election will be electronic, and one of those elections will be hacked. No doubt about it. But the recount in 2016 in Wisconsin reminds us all why we need a backup.

TNW: What are some ways candidates and campaigns can shore up their cybersecurity without draining their war chests? What are some of the practices they should implement in the very early days? A campaign that's very secure ultimately might lose due to lack of visibility. How can campaigns strike the right balance?

Payton: Never before have campaigns collected so much essential information that would be lucrative to so many cybercriminals. Credit card numbers, bank account information, addresses, online identities. The assets go on and on, and cybercriminals are just like bank robbers in the old days: They follow the money.

That is why in today's day and age, if you are on a campaign, whether it be state, national or local, you need to be as vigilant about protecting data as any business. Otherwise, you will lose your customers -- also known as constituents and voters.

Anyone on a tight budget can follow these guidelines to protect their campaign assets:

Make it as hard as possible on cybercriminals by separating donor information details onto a completely separate domain name with separate user IDs and passwords from the campaign. For example, your campaign domain might be VoteSallySue.com, but donor details would be stored at MustProtectDetails.com.

Using that same practice, run all of your internal communications on a domain name that's not the campaign name -- i.e., email addresses should not be henry@VoteSallySue.com but rather henry@MustProtectDetails.com. Increase the level of protection for internal messages by using encrypted messaging platforms for internal communications, such as Signal or Threema.

Also, be sure to encrypt all of your campaign's donor data. We have yet to hear a report of a campaign's donor data being hacked and used for identity theft, but we will -- of that I am sure. It would be too lucrative not to try. Once it is hacked, it will be hard to restore confidence in your operation. Just ask any major retailer, bank or organization who has recently been hacked, and they will tell you. I don't even need to use their names, you know the headlines.

Train technology and campaign staff to spot spearphishing emails and scams. Oh, sure, you think everyone knows not to "click on that link," but recent studies illustrate doing just that is the No. 1 cause of breaches among employees.

Another safeguard that raises the bar in terms of security is implementing two-factor authentication wherever feasible. When you use a platform that employs two-factor authentication, don't you feel safer? Possibly annoyed, as well, but certainly reassured that the extra step has been taken to secure your data. Don't you want the electorate to feel the same way?

Finally, post a privacy policy that's easy to read, easy to find, and you'll find voters have more confidence in just your agenda.

TNW: How well -- or poorly -- have Facebook, Twitter, Google and other tech companies addressed the problems that surfaced in 2016?

Payton: I was encouraged to hear that with less than three weeks to go for the U.S. mid-terms, Facebook has stood up a war room to combat social media community manipulation as the world heads into elections this fall and winter.

They have also said they have war-gamed a number of scenarios to ensure their team is better prepared for elections around the globe. Much is at stake, so the fact that Facebook also integrated the apps they have acquired -- such as WhatsApp and Instagram -- into the mix of the war room is a great idea.

If I were to give them advice, I would suggest that another great step to take would be to create a way to physically embed representatives from law enforcement, other social media companies -- including Twitter, LinkedIn and Google -- and to allow election officials around the globe to have a "red phone" access to the war room.

TNW: What are some of the most pressing cybersecurity problems facing social networks, apart from their use as political tools?

Payton: The ability to change their business and moderator models, in real time, to morph quickly to shut down fake personas, fake ads, and fake messaging promoting political espionage, even if it means higher expenses and loss of revenue. Social media companies have made a lot of progress since the 2016 presidential elections and claims of global-wide election meddling, but the criminals have changed tactics and it's harder to spot them.

On the heels of the August 2018 news that Microsoft seized six domains that Russian Internet trolls planned to use for political espionage phishing attacks around the same time that Facebook deactivated 652 fake accounts and pages tied to misinformation campaigns, Alex Stamos, the former Facebook security chief, posted an essay in Lawfare, and stated that it was "too late to protect the 2018 elections."

TNW: What role should the government play in protecting citizens' privacy online?

Payton: As the Internet evolves, laws and regulations must change more rapidly to reflect societal issues and problems created by new types of behavior taking place online. Never before has the world had access to statements, pictures, video and criticism by millions of individuals who are not public figures.

The Internet provides us with places to document our lives, thoughts and preferences online, and then holds that material for an indefinite period of time -- long after we might have outgrown our own postings.

It also provides places where we can criticize our bosses, local building contractors, or polluters.

This digital diary of our lives leaves tattered pages of our past that we may forget about because we cannot see them, but they could be collected, collated, and used to judge us or discriminate against us without due process. The government needs to think ahead and determine which laws need to be enacted to protect our right to opt in and out of privacy features and to own our digital lives and footprints.

TNW: What is your opinion of Europe's "right to be forgotten" law? Do you think a similar law would make sense in the United States?

Payton: The European Union's "right to be forgotten" sets an interesting precedent, not just for its member countries but for citizens around the world. It is too early to know what the long-term impacts of the EU's decision to enforce a "right to be forgotten" with technology companies will be. However, it's a safe bet the law will evolve and not disappear.

There are concerns that giving you or organizations more control of their Internet identity, under a "right to be forgotten" clause, could lead to [censorship] of the Internet. Free-speech advocates around the globe are concerned that the lack of court precedent and the gray areas of the EU law could lead to pressure for all tech companies to remove results across the globe, delinking news stories and other information upon an individual's request.

A quick history lesson of how this law came about: A Spanish citizen filed a complaint with Spain's Data Protection Agency and indicated that Google Spain and Google Inc. had violated his privacy rights by posting an auction notice that his home was repossessed. The matter was resolved years earlier but since "delete is never really delete" and "the Internet never forgets," the personal data about his financial matters haunted his reputation online.

He requested that Google Spain and Google Inc. be required to remove the old news so it would not show up in search engine results. The Spanish court system reviewed the case and referred it to the European Union's Court of Justice.

"On the 'Right to be Forgotten': Individuals have the right -- under certain conditions -- to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing… . A case-by-case assessment is needed considering the type of information in question, its sensitivity for the individual's private life and the interest of the public in having access to that information. The role the person requesting the deletion plays in public life might also be relevant."

In the U.S., implementing a federal law might be tempting, but the challenge is that the ability to comply with the law will be complex and expensive. This could mean that the next startup will be crushed under compliance and therefore innovation and startups will die before they can get launched.

However, we do need a central place of advocacy and a form of a consumer privacy bill of rights. We have remedies to address issues but it's a complex web of laws that apply to the Internet. Technology changes society faster than the law can react, so U.S. laws relating to the Internet will always lag behind.

We have a Better Business Bureau to help us with bad business experiences. We have the FTC and FCC to assist us with commerce and communications. Individuals need an advocacy group to appeal to, and for assistance in navigating online defamation, reputational risk, and an opportunity to scrub their online persona.

TNW: What is your attitude toward social networking? What's your advice to others regarding the trustworthiness of social networks?

Payton: Social networking can offer us amazing ways to stay in touch with colleagues, friends and loved ones. It's a personal decision as to how involved you are online, how many platforms you interact with, and how much of your life that you digitally record or transact online.

If you want to be on social media but don't want to broadcast everything about you, I tell my clients to turn off location tracking -- or geolocation tools -- in social media. That way you aren't "checking in" places. Cybercriminals use these check-ins to develop your pattern of life and to track your circle of trust. If a cybercriminal has these two patterns, it makes it easier for them to hack your accounts.

Register for an online service that will give you a phone number, such as Google Voice or Talkatone. Provide that number on social media and forward it to your real cellphone. Avoid personality surveys and other surveys -- they are often very fun to do, but the information posted often gives digital clues to what you may use for your password.

Always turn on two-factor authentication for your accounts, and tie your social media accounts to an email address dedicated to social media. Turn on alerts to notify you if there is a login that is outside your normal login patterns.

The amount of personal information you choose to share is up to you -- and everyone has to find that limit of what is too much -- but at the very least, never give out personally identifiable information like your address, DOB, financial information, etc.

TNW: As the first woman to serve in the role of CIO at the White House, under President George W. Bush, how did you feel about becoming an instant role model for girls and young women interested in tech careers?

Payton: It's an honor to think about the opportunity to give back and to help along anyone that wants to pursue this career path, especially young women. Candidly, we need everyone to fight the good fight. My heart breaks when I see computer and engineering classes with very few women in them.

We did not reach out to the women early enough, and when I talk to young women in high school and college about considering cybersecurity as a career, many of them tell me that since they have had no prior exposure they are worried about failing, and that it's "too late now to experiment." To which I tell them that it's always a great time to experiment and learn new things!

Prior to taking on the role at the White House, I had been very active in women in technology groups and was passionately recruiting young women to consider technology careers. At the time I was offered the role and accepted, I candidly didn't have an immediate aha moment about being a role model for women because of that specific job. I was most focused on making sure the mission was a success. I see it now and it's an honor to be able to be a role model and I strive to live up to that expectation.

The cybersecurity industry can do more to help women understand the crucial role that cybersecurity professionals play that make a difference in our everyday lives. Unfortunately, hackers, both ethical and unethical, are often depicted as men wearing hoodies over their faces, making it difficult for women to picture themselves in that role as a realistic career choice, because they don't think they have anything in common with hackers.

Studies show that women want to work in professions that help people -- where they are making a difference. When you stop a hacker from stealing someone's identity, you've made a difference in someone's life or business. At the end of the day, the victims of hackers are people, and women can make a tremendous difference in this field. This is something the industry as a whole needs to do a better job of showing women.

TNW: You're now the CEO of a company in the private sector. Can you tell us a little about what Fortalice Solutions does, its mission, and your priorities in guiding it?

Payton: Fortalice Solutions is a team of cybercrime fighters. We hunt bad people from behind a keyboard to protect what matters most to nations, business and people. We combine the sharpest minds in cybersecurity with active intelligence operations to secure everything from government and corporate data and intellectual property, to individuals' privacy and security.

At Fortalice, our strengths lie in studying the adversary and outmaneuvering them with our human-first, technology-second approaches.

TNW: How have attitudes toward women in powerful positions changed -- for better or worse -- in recent years?

Payton: Although thankfully this is beginning to change, I am typically the only woman in the room -- and that was common in banking as well as technology. I had to learn how to stand up for myself and ensure my voice was heard. I've had more than my fair share of times when my technical acumen has been discounted because I'm female.

I've learned that grace and tact go a long way, and I'm very, very proud to say that my company is nearly dead-equal male/female. We even started an organization called "Help A Sister Up" -- you can find us on LinkedIn -- that's dedicated to advancing women in technology and serving as a rallying point for them and their male advocates. We post job openings, interesting articles, avenues for discussion. Please join us!

TNW: What's your advice to girls and women entering technological fields about whether to seek employment in the private or the public sector? What are some of the pros and cons, particularly from the standpoint of gender equality?

Payton: An April 2013 survey of Women in Technology found that 45 percent of respondents noted a "lack of female role models or [the encouragement to pursue a degree in a technology-related field]."

It's been proven that professional mentorship and development dramatically increase participation in any given field, so the lack of women in cybersecurity is really a compounding problem -- we don't have enough women in cyber because there aren't enough women role models in cyber.

While connecting with other women has had its challenges, there are wonderful women in cyber today. Look at Linda Hudson -- currently the chairman and CEO of The Cardea Group and former president and CEO of BAE Systems Inc. -- shattering the glass ceiling for women behind her. Also, up-and-comer Keren Elazari, a global speaker on cybersecurity and ethical hacker out of Israel.

I've been very lucky to work with wonderful, inspiring women in cyber, but I recognize that my exposure might be more than women starting their career. This brings me to my next point: I recommend all cyber practitioners, and especially women, take advantage of all the amazing free tools out there from RSA, TED talks, and even YouTube.

You can watch speeches from veteran cybersecurity professionals about their careers, hear their advice on how to succeed, and learn new skills to keep you competitive in the workplace. Consider free online courses in cybersecurity or popular programming languages like Python. Ask your colleagues to show you their favorite geek gadget or ethical hack.

There are some excellent security frameworks and guidance available for free online, such as the NIST framework, CIS Critical Security Controls, SSAE 16, and discussions on GDPR. Leverage social media to hear what's on the minds of security experts. You must be a constant student of your profession in this field.